Fix use_cookies framework session configuration

alexander-schranz · fabpot · commit 2f59c5a79c2c · 2022-04-08T06:52:37.000+02:00
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
@@ -148,42 +148,45 @@ public function onKernelResponse(ResponseEvent $event)
             $sessionCookieSecure = $sessionOptions['cookie_secure'] ?? false;
             $sessionCookieHttpOnly = $sessionOptions['cookie_httponly'] ?? true;
             $sessionCookieSameSite = $sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
+            $sessionUseCookies = $sessionOptions['use_cookies'] ?? true;
 
             SessionUtils::popSessionCookie($sessionName, $sessionId);
 
-            $request = $event->getRequest();
-            $requestSessionCookieId = $request->cookies->get($sessionName);
-
-            $isSessionEmpty = $session->isEmpty() && empty($_SESSION); // checking $_SESSION to keep compatibility with native sessions
-            if ($requestSessionCookieId && $isSessionEmpty) {
-                $response->headers->clearCookie(
-                    $sessionName,
-                    $sessionCookiePath,
-                    $sessionCookieDomain,
-                    $sessionCookieSecure,
-                    $sessionCookieHttpOnly,
-                    $sessionCookieSameSite
-                );
-            } elseif ($sessionId !== $requestSessionCookieId && !$isSessionEmpty) {
-                $expire = 0;
-                $lifetime = $sessionOptions['cookie_lifetime'] ?? null;
-                if ($lifetime) {
-                    $expire = time() + $lifetime;
-                }
+            if ($sessionUseCookies) {
+                $request = $event->getRequest();
+                $requestSessionCookieId = $request->cookies->get($sessionName);
 
-                $response->headers->setCookie(
-                    Cookie::create(
+                $isSessionEmpty = $session->isEmpty() && empty($_SESSION); // checking $_SESSION to keep compatibility with native sessions
+                if ($requestSessionCookieId && $isSessionEmpty) {
+                    $response->headers->clearCookie(
                         $sessionName,
-                        $sessionId,
-                        $expire,
                         $sessionCookiePath,
                         $sessionCookieDomain,
                         $sessionCookieSecure,
                         $sessionCookieHttpOnly,
-                        false,
                         $sessionCookieSameSite
-                    )
-                );
+                    );
+                } elseif ($sessionId !== $requestSessionCookieId && !$isSessionEmpty) {
+                    $expire = 0;
+                    $lifetime = $sessionOptions['cookie_lifetime'] ?? null;
+                    if ($lifetime) {
+                        $expire = time() + $lifetime;
+                    }
+
+                    $response->headers->setCookie(
+                        Cookie::create(
+                            $sessionName,
+                            $sessionId,
+                            $expire,
+                            $sessionCookiePath,
+                            $sessionCookieDomain,
+                            $sessionCookieSecure,
+                            $sessionCookieHttpOnly,
+                            false,
+                            $sessionCookieSameSite
+                        )
+                    );
+                }
             }
         }
 
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
@@ -66,13 +66,19 @@ public function testSessionCookieOptions(array $phpSessionOptions, array $sessio
         $listener->onKernelResponse(new ResponseEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST, $response));
 
         $cookies = $response->headers->getCookies();
-        $this->assertSame('PHPSESSID', $cookies[0]->getName());
-        $this->assertSame('123456', $cookies[0]->getValue());
-        $this->assertSame($expectedSessionOptions['cookie_path'], $cookies[0]->getPath());
-        $this->assertSame($expectedSessionOptions['cookie_domain'], $cookies[0]->getDomain());
-        $this->assertSame($expectedSessionOptions['cookie_secure'], $cookies[0]->isSecure());
-        $this->assertSame($expectedSessionOptions['cookie_httponly'], $cookies[0]->isHttpOnly());
-        $this->assertSame($expectedSessionOptions['cookie_samesite'], $cookies[0]->getSameSite());
+
+        if ($sessionOptions['use_cookies'] ?? true) {
+            $this->assertCount(1, $cookies);
+            $this->assertSame('PHPSESSID', $cookies[0]->getName());
+            $this->assertSame('123456', $cookies[0]->getValue());
+            $this->assertSame($expectedSessionOptions['cookie_path'], $cookies[0]->getPath());
+            $this->assertSame($expectedSessionOptions['cookie_domain'], $cookies[0]->getDomain());
+            $this->assertSame($expectedSessionOptions['cookie_secure'], $cookies[0]->isSecure());
+            $this->assertSame($expectedSessionOptions['cookie_httponly'], $cookies[0]->isHttpOnly());
+            $this->assertSame($expectedSessionOptions['cookie_samesite'], $cookies[0]->getSameSite());
+        } else {
+            $this->assertCount(0, $cookies);
+        }
     }
 
     public function provideSessionOptions(): \Generator
@@ -126,6 +132,12 @@ public function provideSessionOptions(): \Generator
             'sessionOptions' => ['cookie_path' => '/test/', 'cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => Cookie::SAMESITE_LAX],
             'expectedSessionOptions' => ['cookie_path' => '/test/', 'cookie_domain' => '', 'cookie_secure' => true, 'cookie_httponly' => true, 'cookie_samesite' => Cookie::SAMESITE_LAX],
         ];
+
+        yield 'set_use_cookies_false_by_symfony' => [
+            'phpSessionOptions' => [],
+            'sessionOptions' => ['use_cookies' => false, 'cookie_domain' => '', 'cookie_secure' => true, 'cookie_httponly' => true, 'cookie_samesite' => Cookie::SAMESITE_LAX],
+            'expectedSessionOptions' => [],
+        ];
     }
 
     /**
